[Bug 2078989] [NEW] Full RELRO dependent on PIE
Mark Esler
2078989 at bugs.launchpad.net
Wed Sep 4 23:41:01 UTC 2024
Public bug reported:

Full RELRO is only used when PIE is (i.e., it is not being used for
libraries).

Full RELRO has the advantage of making the Global Offset Table (GOT) read-only,
which prevents GOT overwrite attacks. This requires resolving all dynamic
symbols at program startup, instead of lazily loading addresses. There is some
start-up performance cost to this, which we pay for PIE-built binaries.

See how `-z now` is used in:
https://git.launchpad.net/ubuntu/+source/gcc-14/tree/debian/patches/gcc-distro-specs.diff

Also, should it be `-Wl,-z,now` instead of `-z now`?

Cheers to @tobhe who identified and diagnosed this.

** Affects: gcc-14 (Ubuntu)
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/2078989